Group-IB investigated the state and dynamics of today's computer crime market
and current cyber threats for 2012 and the first quarter of 2013. The
investigation was assisted by experts from the computer incident response
center CERT-GIB.

This report examines current information security threats, analyzes trends in
the cybercrime world, gives statistical assessments of the cybercrime market
and forecasts how it will change in the near future (2014-2015).


Assessment of the cybercrime market

The two sets of figures below appear in the report without year labels; the
column headings 2011 and 2012 are an assumption, based on the 6% market
decrease, 13% C2C increase and 22% counterfeit-spam increase that the text
reports for 2012, all of which match the second column against the first.

Segment                                        2011       2012
Internet fraud                                 $697MM     $615MM
  Online banking fraud                         $490MM     $446MM
  Cashing out other illegal profits            $122MM     $89MM
  Phishing                                     $55MM      $57MM
  Electronic money theft                       $30MM      $23MM
Spam                                           $830MM     $786MM
  Medicines and various counterfeit products   $142MM     $173MM
  Counterfeit and fake software                $135MM     $120MM
  Other (dating, education, travel, etc.)      $553MM     $493MM
Internal market (C2C)                          $230MM     $261MM
  Selling of traffic                           $153MM     $167MM
  Selling of exploits                          $41MM      $52MM
  Selling of installs                          $27MM      $33MM
  Anonymization                                $9MM       $9MM
DDoS attacks                                   $130MM     $109.8MM
Other                                          $168MM     $166MM

Internet fraud decrease

The Russian cybercrime market shrank by 6% in 2012, although its segments moved
in different directions. The drop in online banking theft was the most important
factor in this reduction. In analyzing the causes of the decline in thefts, Group-IB
analysts highlighted the following factors:

Successful operations aimed at dismantling criminal groups.

Organization of an interbank list of drops (mule accounts).

Deployment of antifraud solutions by banks.

Botnet monitoring and compromised data extraction.

Counterfeit spam growth

Despite the general decrease in spam, there was a 22% increase in the sale of
various counterfeit products through e-mail spam: counterfeit medicines, drugs and
accessories. The increase was caused by the general development of this illegal
business and the emergence of new affiliate programs.

Growth of cybercriminal expenses

It is also noteworthy that the domestic C2C market grew by 13%, meaning that
infrastructure spending on botnets and malware distribution increased. This trend
is related to a general increase in the security level of client workstations and
to the technological improvement of the software used.

According to Group-IB, there was an average of 44 thefts carried out from online
banking systems in 2012.

In 2011, an auto-stealing module for the Carberp malware was developed and
actively deployed.

Over the last year and a half, Group-IB has registered at least 6 cases of unauthorised access to the IT infrastructure of major financial institutions in Russia, resulting in large thefts and losses (millions of dollars). Notably, in 70% of these cases malware and banking trojans played a major role.

Growing use of "avtozaliv" technology

Even though online banking fraud in Russia has decreased, the total amount is still very high. In many respects this can be attributed to new money theft techniques, particularly the active deployment of "avtozaliv" (automated unauthorised money transfer) functionality against popular remote banking systems.

Attacks on online-trading clients

In 2012 Group-IB, for the first time, registered targeted attacks on computers with the goal of stealing access credentials and keys for
online trading systems, such as QUIK and FOCUS IV online. Even though no thefts were registered, these cases show a new point of interest for cybercriminals.

Trojans for POS-terminals

In March 2013, Group-IB experts found new malware called Dump Memory Grabber
on one of the underground sites. This malware is aimed at infecting cash-register
computers that have POS terminals attached to them, which are common in retail
and catering chains in the United States. As a result of the operation, a few
thousand compromised bank cards were found and handed over to payment systems,
affected banks and law enforcement agencies for investigation.

Over the last year and a half, Group-IB has performed security audits and penetration tests of dozens of online banking systems, web services and mobile applications.

This work turned out to be very helpful for Group-IB clients:
on average, 6 serious security flaws were found in each analysed resource.

The cybercrime gang rented an office in central Moscow under the guise of a data
recovery center.

The botnet grew by an average of over 30,000 newly infected computers.

More than 5,000 individuals and companies were robbed by this cybercrime gang.

Dismantling criminal groups

One of the most important directions of Group-IB's work is the investigation and elimination of cybercrime.
Below, a few interesting cases from Group-IB's practice are described.

Cybercrime gang "Carberp"

The Carberp gang was created in 2008 and had at least 8 active members. Over the next 4 years they committed thousands of thefts from corporate banking accounts in Russia.
During the investigation, it was found that the attackers used the Carberp malware to copy digital signature keys, intercept passwords and take
screenshots of users' sessions in online banking systems. On 14 March 2012, the FSB and the Russian Ministry of Internal Affairs, assisted
by Group-IB, arrested members (8 people) of the Carberp organized criminal group.

Cybercrime gang "Hodprot"

This criminal group began its activities in 2009 and specialized in stealing money
from corporate bank accounts. The fraudsters used a malicious program
called Hodprot at the beginning of their criminal activities, and later changed to
Carberp in 2011.

As of 14 October 2011, the size of the botnet was about 700,000 computers, and
by 20 December 2011, it reached 1.5 million computers.
A total of 19 people, mostly pourers, had access to the botnet control
panel. They manually checked each bank customer, left comments to interact
with each other and carried out unauthorized wire transfers. Germes had big plans to develop the illegal business and so planned to hire
skilled developers from China whom he would offer to relocate to Russia.

On 16 May 2012, the Economic Security and Anti-Corruption Department of the
Russian Ministry of Internal Affairs for Moscow with support from Group-IB experts
made the first arrest of members of this criminal group. Six people were
arrested. Among those arrested were pourers, traffers, server administrators,
and those maintaining exploit packs.
On 5 June 2012, the organizer of the criminal group, Germes (alias Arashi), was detained. At the time of his arrest, there were over 6 million computers
in his botnet.

Hameleon arrest

There was an upsurge in cases of theft against individuals at the end of December
2011 and in January 2012. These thefts had a common feature: just before the
theft, the user's phone number that received SMS messages with one-time
passwords stopped working.

As a result of the investigation, Group-IB revealed the whole fraud scheme, which included many steps: infecting the customer, collecting additional information with the help of web injects,
illegally re-issuing the SIM card and, finally, stealing the money.

On 29 May 2012, the Russian Ministry of Internal Affairs, assisted by Group-IB
experts, arrested the author of the web injects, who also administered the server
where the stolen data were sent. He was a forty-year-old resident of Tolyatti, a
programmer by training, who had become involved in the criminal business in
August 2011. The attacker confessed immediately after the arrest.

Report on the work of CERT-GIB

In 2012, the incident response and security team CERT-GIB processed more than 3200 requests.

In accordance with an agreement with the Coordination Center for TLD RU,
one of the responsibilities of CERT-GIB is to combat the use of domain names for
phishing, unauthorized access to third-party information systems, and the
distribution and management of malware (botnets).

Botnet shutdowns

Preventing the operation of botnets and shutting down botnet command servers
is one of Group-IB's important achievements. Below we consider four of the most
interesting examples.

Dragon

At the end of 2012, some banking networks suffered DDoS attacks. Investigations
established that a botnet called Dragon was involved in the attacks.
After establishing the exact location of the attacker, a group of special agents,
assisted by Group-IB forensic experts, was dispatched to that location and
the cybercriminal (a 24-year-old man) was arrested. The Dragon botnet, which
caused an estimated loss of tens of thousands of U.S. dollars, was shut down.

Grum

In the summer of 2012, in cooperation with the malware intelligence company
FireEye, experts from Group-IB and CERT-GIB shut down the Grum botnet servers;
Grum was regarded as the third largest botnet in the world. It was used
extensively for sending pharmaceutical spam e-mails through its work with
affiliate programs involved in counterfeit medicines (Viagra, Cialis, etc.).

Slenfbot

The botnet built with the Slenfbot worm, which was distributed through
compromised websites and instant messaging clients (Windows Live Messenger,
AOL Instant Messenger (AIM), Yahoo! Messenger, Google Chat, Facebook Chat,
ICQ and Skype), had an estimated size of 600,000 compromised computers.
In June 2012, the incident response center CERT-GIB identified the control
servers of the Slenfbot botnet. Through international cooperation, the botnet was
successfully shut down.

Virut

In January 2013, the Spamhaus Project announced it had shut down the Virut botnet,
a worm that spreads through removable drives and network shares. Virut was
first detected in 2006 and became a serious threat with an estimated size of
more than 300,000 compromised computers.
Spamhaus had made numerous unsuccessful attempts before to shut down the
botnet. In the process of shutting down Virut, the Spamhaus Project reached
out to CERT.pl, the Austrian CERT and CERT-GIB. All the Virut domains within the
.ru ccTLD were shut down within a few hours as a direct result of cooperation
with Group-IB.